Shadow Defender bypassed by TDL rootkits???

Page 1 of 3

Shadow Defender bypassed by TDL rootkits???

Post by Rico on 1/7/2010, 06:05

Hi, I came across a thread on Wilders about newer malware that seems to be able to penetrate the biggest players on the LV market.


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 1/7/2010, 06:50

I wouldn't be surprised if newer specific malware can bypass light virtualisation (system containment). I don't know of any and I certainly don't have any samples though.

What's more important is that Shadow Defender appears to be an abandoned product until Tony gets back to us (if he ever does):
http://www.shadowdefender.com/phpbb/viewtopic.php?f=2&t=330

Furthermore, I think patrick makes an extremely important point here (I bold the important parts):
...I think some users experienced problems in various versions (including recent) with corrupted files on re-boot and missing permissions, in my own case some of my Sygate Personal Firewall settings were lost on reboot (in more than one version). (Nero registration was lost at times in earlier versions)

The fact is, those users across other forums who always say "I've never had any problems with Shadow Defender etc", are probably not looking at their configurations etc carefully enough. I've certainly experienced what patrick describes above, and I know noorismail has too.

However, I think currently, Shadow Defender is probably quite a robust layer of protection against malware. My philosophy for "100%" computer security is combining default-deny anti-execution (eg. SRP/AppLocker, Faronics Anti-executable 3, well configured classical HIPS etc.) with containment (eg. Sandboxie, Shadow Defender, Returnil etc.).

However, given the above, I have stopped using light virtualisation technology. The concept is clever, but I personally feel that the technology/programming itself is intrinsically unstable. The same goes for rollback software like EAZ-FIX and Comodo Time Machine. There might be a reason why Windows' System Restore is so pathetic - perhaps Microsoft understand how unstable things can get if one goes too far.

In saying that, I hope Tony comes back and continues to develop Shadow Defender.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Shadow Defender bypassed by TDL rootkits???

Post by Rico on 1/7/2010, 07:17

ssj100 wrote:
In saying that, I hope Tony comes back and continues to develop Shadow Defender.

+1

I wish him all the best, and hope he's ok.

If things unfortunately play out that SD is not being developed anymore, what product would you switch to and why?
Since you mentioned file corruption etc, does SD cause increasing file fragmentation on disk as time goes on?


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 1/7/2010, 07:29

Rico wrote:If things unfortunately play out that SD is not being developed anymore, what product would you switch to and why?
Since you mentioned file corruption etc, does SD cause increasing file fragmentation on disk as time goes on?

If I was still using this type of technology, I would be very unsure as to which product I would switch to. I suppose Returnil Free would be a possibility.

I don't think it's so much file corruption, but more lost or changed settings in certain programs. I remember being in Shadow Mode and browsing with Firefox (I did not change any Firefox settings). Then I rebooted and my Firefox browser had different settings (eg. Bookmarks toolbar appeared when I always have it disabled and not showing). I remember feeling extremely disappointed in Shadow Defender at that point, as I felt it just could not be reliable if it behaved like this. In other words, I rarely (in the last few years, never) get infected by malware, and Shadow Defender was effectively acting as a malware for me!

Anyway, I couldn't reproduce the above issue consistently (I think I've come across it about 3-4 times), which gave me even more doubt of Shadow Defender's reliability/stability/safety. Perhaps I experienced issues because I had Sandboxie installed with it, who knows. As I have warned repeatedly across many forums including this one, installing more than one security program which hits the kernel will increase your risk of conflict. The problem is that we don't really know how high/low this risk is.


Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 1/7/2010, 09:36

I have had many of these little "one-off" bugs, such as a folder setting changing from thumbnail view to icon, or my "Toggle Java Script" button in Firefox persisting in a setting after reboot in ShadowMode, little things you can't reproduce, that still add up to a bad feeling.

If ShadowDefender is abandoned, I will stick with it for a while and reformat, so I can start fresh, and use LUA/SRP and Sandboxie.

Probably nothing else.

noor

_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.

Re: Shadow Defender bypassed by TDL rootkits???

Post by Guest on 2/7/2010, 05:35

Yes, I had settings changes on Avast and Malwarebytes: where I had asked them to connect to the website automatically for updates, they suddenly had popups asking again after a re-boot from Shadow Defender, and other things like that that I found unnerving. Lost settings and registrations. Software needed re-registering occasionally.
As you say Noorismail, this did not happen consistently or after every re-boot but just seemed at random, and in early versions of Shadow Defender Nero re-set itself to a pre-registered state. (I was not the only one that had that.) Tony accepted it was happening.


Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 2/7/2010, 06:46

Plus, with a small user base and the transitory nature of the "bugs", it must be very hard to fix them.

I say small user base; Patrick, do you know if ShadowDefender is widely used in China?


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 2/7/2010, 06:52

By the way, it seems the rootkit bypassed Returnil, Wondershare Time Freeze (no surprise I guess) and Comodo Time Machine also. It would be interesting to know if it can bypass Rollback Rx/EAZ-FIX.

I'm currently trying to get hold of the sample(s) so I can do some testing.


Re: Shadow Defender bypassed by TDL rootkits???

Post by Guest on 2/7/2010, 07:13

I got the impression somehow that it was better known in China, but I just gleaned bits from forums.
Chinese forum translated

noorismail wrote:Plus, with a small user base and the transitory nature of the "bugs", it must be very hard to fix them.

I say small user base; Patrick, do you know if ShadowDefender is widely used in China?


Re: Shadow Defender bypassed by TDL rootkits???

Post by Rico on 3/7/2010, 00:35

Hopefully ShadowDefender is only in a temporary development hiatus; so noor, would you ever consider going back to Returnil or not?
If not, then why? What are the main reasons that made SD better than Returnil (free)? -- cuz I hate subscriptionware


Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 3/7/2010, 02:04

Hi Rico.
Yes, I really preferred the Returnil Premium 2008 version over ShadowDefender.

The problem with the free version, for me, is there is no commit-to-the-real-disk functionality.

I just did not like the Returnil 2010 version at all. The added AV component was a drag (literally and figuratively!!).

The 2008 version, on the other hand, had a simple anti-executable, set to off by default, that once I enabled, I loved. It worked in and out of "Shadow Mode".

Returnil Premium, or "HomeLux", is, as you said, subscriptionware, and rather expensive at that.

The thing is, they run so many promotions a person could run the paid version for years without paying up if they keep their eyes open and check the forums.

I still had two months on my one year gift subscription to Returnil 2008 when I picked up a full year from their Facebook promotion for Returnil 2010!!

They say Returnil has a "labs" version that is more sleek and similar to the 2008 version.

noor


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 3/7/2010, 03:11

Back on topic, I've been struggling to test various TDL/TDSS rootkits in my VM with VirtualBox. My testing configuration is as follows:

1. Host system: Windows XP Pro SP3, 32-bit (fully patched)
2. Guest system: Windows XP Pro SP3, 32-bit (last patched September 2009)

After running the rootkits (including the "dogma.exe" one) the Guest system appears to restart spontaneously (crash?). After waiting a couple of minutes, I run Kaspersky's anti-rootkit tool ( http://support.kaspersky.com/downloads/utils/tdsskiller.zip ) and nothing is found. I reboot the system and again wait a couple of minutes. Then I re-run the anti-rootkit tool and again nothing is found.

I've tested the above with at least 5 different TDL/TDSS rootkits and get the same result. After reading the web, it seems no one has used exactly the same configuration as me. Most people seem to be using VirtualPC to do their testing (instead of VirtualBox).


Re: Shadow Defender bypassed by TDL rootkits???

Post by nick s on 3/7/2010, 09:22

ssj100 wrote:2. Guest system: Windows XP Pro SP3, 32-bit (last patched September 2009...
A somewhat educated guess...

I believe the XP kernel has been updated at least twice since September 2009. Any given TDL rootkit sample is coded to work with a certain OS kernel version. The BSODs you see are probably the result of mismatched sample and kernel versions. A good example of this mismatch crash is what happened after February 2010's Patch Tuesday. MS updated the kernel and, as a result, systems with existing TDL infections generally would go into a startup BSOD loop. Some would BSOD later on after logging in. MS had to pull the update. TDL's developers quickly released a version compatible with the new kernel.

When I test TDL samples using VMware, I go with the latest TDL version on a fully patched XP SP3.


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 3/7/2010, 09:26

Thanks for the tip nick s. I'll try patching the VM and see how it plays. I'm not sure if it will work though, as I read somewhere that people have used unpatched OSes for these tests (although I don't know how unpatched).


Re: Shadow Defender bypassed by TDL rootkits???

Post by nick s on 3/7/2010, 09:43

ssj100 wrote:Thanks for the tip nick s. I'll try patching the VM and see how it plays.
That's the first thing I would try. You can always get the latest TDL builds at KernelMode.info.


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 3/7/2010, 10:14

nick s wrote:
ssj100 wrote:Thanks for the tip nick s. I'll try patching the VM and see how it plays.
That's the first thing I would try. You can always get the latest TDL builds at KernelMode.info.

Didn't make any difference I'm afraid.


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 3/7/2010, 12:12

Okay, it seems these rootkits are probably VirtualBox aware. Pity.


Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 3/7/2010, 14:54

Sturm und Dreck with ShadowDefender ( Light Virtualization).

http://www.wilderssecurity.com/showthread.php?t=276210

Much of it seeming to confirm ssj100's testing in VirtualBox (aware, won't run).
Some of it "faith-based" for the moment, feeding my incipient fanboitis.

This is as exciting as the BoClean battle of sainted memory.
Only this time, I have a horse in the running!!

noor

Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 3/7/2010, 15:21

Yes, it appears that Shadow Defender is the only program of its type that protects the system against these rootkits. Just goes to show that single developer software is the best haha.

The biggest surprise is that EAZ-FIX/Rollback Rx and Comodo Time Machine fail. I'd bet the EAZ-FIX/Rollback Rx forums (if one exists) will be full of "patch this ASAP!" cries.

The Comodo Time Machine forum certainly is alive and kicking:
https://forums.comodo.com/news-announcements-feedback-ctm/does-ctm-protect-against-tdsstdl-rootkits-t58723.0.html

It's also interesting to see Coldmoon (Returnil associate) make comment. His arguments appear (not surprisingly) very biased and watered down (in an attempt) to grey out the FACT that Returnil is BYPASSED well and truly. I wouldn't be surprised if he's searching for Tony to ask him how the heck Shadow Defender works haha. Coldmoon's argument appears to be that Returnil's light system virtualisation component cannot be relied upon as the only layer of security etc etc.


Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 4/7/2010, 03:10

Really, I am surprised that Returnil 2010 failed with all the added bells and whistles.

And ShadowDefender passed, just no-one really can say how!

I do think Returnil is going toward a suite paradigm.

Maybe they perceive some upper limit with what can be done with just light virtualization.

Or, maybe they would just rather bolt more stuff on than refine the base tech.

ShadowDefender seems to certainly have done more with less, for the moment.

noor


Shadow Defender 1.1.0.3.26 bypassed but not 1.1.0.325

Post by Guest on 4/7/2010, 04:36

I noticed this on Wilders post 66 Leach

Shadow Defender 1.1.0.3.26 bypassed but not 1.1.0.325


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 4/7/2010, 04:48

patrick wrote:I noticed this on Wilders post 66 Leach

Shadow Defender 1.1.0.3.26 bypassed but not 1.1.0.325

That post confused the heck out of me (from a tester's perspective haha). It sounds like he's getting the rootkit to work in VirtualBox (when I had confirmation from another tester that it doesn't) but that the rootkit behaves strangely etc.

Anyway, interesting that 1.1.0.326 is bypassed but not 1.1.0.325. That is just bizarre. I wonder if the test has been repeated? I'd like to see it being repeated about 10 times to confirm that Shadow Defender is giving consistent results (as we know, Shadow Defender is known to give some rather inconsistent results).

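Two points in this thread suggest how results from this kind of testing should be scored: nick s's, that a TDL sample built for one XP kernel build crashes on another, so a BSOD says nothing about the product under test, and ssj100's above, that a single pass or fail from a product known for inconsistent results is meaningless until the run has been repeated about ten times. The following is an added example of such scoring, written for this page; it is not code from the thread or from any product mentioned in it. The product names, kernel build labels and trial records are constructed, and it assumes the kernel build each sample targets is already known from prior analysis of that sample.

```python
"""Score repeated rootkit-vs-containment trials (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Placeholder kernel build labels. A real log would record the ntoskrnl.exe
# file version of the guest and the build the sample is documented to target.
KERNEL_A = "xp-sp3-kernel-build-A"  # constructed label, not a real build number
KERNEL_B = "xp-sp3-kernel-build-B"  # constructed label, not a real build number


@dataclass(frozen=True)
class Trial:
    product: str        # product and version under test, e.g. "ProductA 1.0"
    sample_kernel: str  # kernel build the sample targets (assumed known from analysis)
    guest_kernel: str   # kernel build actually running in the guest VM
    outcome: str        # raw observation after reboot: "infected", "clean" or "bsod"


def classify(trial: Trial) -> str:
    """Turn one raw observation into a result that can feed a verdict.

    A crash on a guest whose kernel differs from the sample's target build is
    the mismatch nick s describes: it tells us nothing about the product, so it
    is marked inconclusive instead of being counted as 'protected'.
    """
    if trial.outcome == "bsod":
        if trial.sample_kernel != trial.guest_kernel:
            return "inconclusive-kernel-mismatch"
        return "inconclusive-crash"
    if trial.outcome == "infected":
        return "bypassed"
    if trial.outcome == "clean":
        return "protected"
    raise ValueError(f"unknown outcome {trial.outcome!r}")


def verdict(trials: Iterable[Trial], min_trials: int = 10) -> Tuple[str, Dict[str, int]]:
    """Verdict for one product from repeated trials, plus the result counts.

    Only conclusive results count toward the minimum. A product is called
    'protected' or 'bypassed' only when every conclusive trial agrees; mixed
    results are reported as 'inconsistent' (a finding in its own right), and
    fewer than min_trials conclusive runs yield 'insufficient'.
    """
    counts = Counter(classify(t) for t in trials)
    conclusive = {k: v for k, v in counts.items() if not k.startswith("inconclusive")}
    if sum(conclusive.values()) < min_trials:
        return "insufficient", dict(counts)
    if len(conclusive) > 1:
        return "inconsistent", dict(counts)
    return next(iter(conclusive)), dict(counts)


def summarize(trials: Iterable[Trial], min_trials: int = 10) -> Dict[str, str]:
    """Group trials by product and return one verdict per product."""
    by_product: Dict[str, List[Trial]] = {}
    for t in trials:
        by_product.setdefault(t.product, []).append(t)
    return {p: verdict(ts, min_trials)[0] for p, ts in by_product.items()}


# Constructed trial log: four hypothetical products, ten runs each.
SAMPLE_TRIALS: List[Trial] = (
    # Product A: kernel matches, the sample never survives the reboot.
    [Trial("ProductA 1.0", KERNEL_A, KERNEL_A, "clean")] * 10
    # Product B: kernel matches, the sample survives every time.
    + [Trial("ProductB 2.0", KERNEL_A, KERNEL_A, "infected")] * 10
    # Product C: guest kernel is not the build the sample expects; every run crashes.
    + [Trial("ProductC 3.0", KERNEL_A, KERNEL_B, "bsod")] * 10
    # Product D: kernel matches, but the result flips between runs.
    + [Trial("ProductD 4.0", KERNEL_A, KERNEL_A, "clean")] * 6
    + [Trial("ProductD 4.0", KERNEL_A, KERNEL_A, "infected")] * 4
)


if __name__ == "__main__":
    for product, result in summarize(SAMPLE_TRIALS).items():
        print(f"{product}: {result}")
```

Product C in the constructed log is the situation ssj100 reports further up the thread: every run ends in a crash on a guest whose kernel does not match the sample, so the harness reports "insufficient" rather than crediting the product with ten passes.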

Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 4/7/2010, 05:00

It is confusing. Try post 54.

Differences in XP host/guest editions of XP affecting the test.

Have to wonder about 1.1.0.323.

noor


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 4/7/2010, 05:09

Post 54 confuses me even more haha. However, I think he is still saying that with the following configuration, the rootkits can install and infect in VirtualBox:

1. Host system: Windows XP Pro SP3, 32-bit (fully patched)
2. Guest system: Windows XP Pro SP3, 32-bit (last patched September 2009)

However, this guy agrees with me and says he has to use VPC to get the rootkit to work:
https://forums.comodo.com/news-announcements-feedback-ctm/does-ctm-protect-against-tdsstdl-rootkits-t58723.0.html;msg411973#msg411973

It's the same as I had experienced, I think it's VBox-aware.
Try again with Virtual PC.


Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 4/7/2010, 07:01

I see the print spooler service is mentioned and discussed in post 69 of the Wilders thread.

I wonder if this is an assumption from the last incident,or if it is implicated in these problems as well?

Surely the new malware would not try to exploit the same point?

